● Problem
Therefore, I need to add a static route on my MacBook Pro.
● Solution
As you see below, I received the 192.168.2.0/23 route from the VPN, and it routes through the tunnel interface, utun3. First, disconnect the VPN and add a static route as described below.
To view the routing table:
You can use the command "netstat -rn" and filter for a specific network with 'grep' in the Terminal.
macOS:/Users/analysisman% netstat -rn | grep 192.168.2.
192.168.2/23 1.1.1.1 UGSc utun3
▶ Method 1. Add a static route temporarily
To add a static route:
macOS:/Users/analysisman% sudo route -n add -net 192.168.2.0/24 192.168.1.1
add net 192.168.2.0: gateway 192.168.1.1
To verify the route you added:
macOS:/Users/analysisman% netstat -rn | grep 192.168.2.
192.168.2 192.168.1.1 UGSc en10
192.168.2/23 1.1.1.1 UGSc utun3
Now, 192.168.2.0/24 routes through my Ethernet interface, en10.
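The /24 static route wins over the VPN's /23 because the kernel picks the most specific (longest-prefix) match. The Python sketch below is an added example, not part of the original post: it parses `netstat -rn` lines, resolves which interface an address will use, and lists routes that pull addresses out of a tunnel route. The default-route line, the function names and the octet-count expansion rule are assumptions.

```python
import ipaddress
import re

# Two routes copied from the netstat output above, plus a constructed
# default route so addresses outside both prefixes still resolve.
SAMPLE = """\
default            192.168.1.1        UGSc           en10
192.168.2          192.168.1.1        UGSc           en10
192.168.2/23       1.1.1.1            UGSc          utun3
"""
IFACE = re.compile(r"^[a-z]+\d+$")  # interface names such as en10, utun3

def expand(dest):
    """Expand netstat's abbreviated destination into an IPv4Network.

    Assumption: without an explicit /len, each printed octet counts for
    8 prefix bits ("192.168.2" -> 192.168.2.0/24, four octets -> /32).
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    plen = int(plen) if plen else 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{plen}", strict=False)

def parse_routes(text):
    """Return (network, gateway, interface) for each IPv4 route line."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or ":" in f[0] or not (f[0] == "default" or f[0][0].isdigit()):
            continue  # header, blank line, or IPv6 entry
        netif = next((x for x in f[3:] if IFACE.match(x)), None)
        if netif:
            routes.append((expand(f[0]), f[1], netif))
    return routes

def lookup(routes, ip):
    """Longest-prefix match: the most specific covering route wins."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def leaving_tunnel(routes, tunnel_prefix="utun"):
    """Non-tunnel routes that carve addresses out of a tunnel route."""
    tun = [r for r in routes if r[2].startswith(tunnel_prefix)]
    return [(r, t) for r in routes if not r[2].startswith(tunnel_prefix)
            for t in tun if r[0] != t[0] and r[0].subnet_of(t[0])]
```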
To delete a static route:
macOS:/Users/analysisman% sudo route -n delete 192.168.2.0/24
Password:
delete net 192.168.2.0
▶ Method 2. Add a static route persistently
To verify your interface:
macOS:/Users/analysisman% ifconfig -a
…snipped…
en10: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=6407<RXCSUM,TXCSUM,VLAN_MTU,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
ether 00:24:9b:33:44:55
inet6 fe80::3f:e0d:4455:1ebe%en10 prefixlen 64 secured scopeid 0xb
inet 192.168.1.103 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex>)
To list devices (network adapters):
macOS:/Users/analysisman% networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled.
FT232R USB UART
USB 10/100/1000 LAN 2
USB 10/100/1000 LAN
USB 10/100/1000 LAN 3
USB 10/100/1000 LAN 4
USB 10/100/1000 LAN 5
Belkin USB-C LAN
Wi-Fi
iPhone USB 2
Bluetooth PAN
Thunderbolt Bridge
GlobalProtectDo
GlobalProtectDo 2
Or
To list devices with the interface number:
I prefer this command because it also shows the ethernet number (e.g. en10).
macOS:/Users/analysisman% networksetup -listnetworkserviceorder
An asterisk (*) denotes that a network service is disabled.
(1) FT232R USB UART
(Hardware Port: FT232R USB UART, Device: usbserial-AI06J8P5)
(2) USB 10/100/1000 LAN 2
(Hardware Port: USB 10/100/1000 LAN, Device: en8)
(3) USB 10/100/1000 LAN
(Hardware Port: USB 10/100/1000 LAN, Device: en10)
To add a static route permanently:
Usage:
networksetup -setadditionalroutes <networkservice> [ <dest> <mask> <gateway> ]*
macOS:/Users/analysisman% sudo networksetup -setadditionalroutes "USB 10/100/1000 LAN" 192.168.2.0 255.255.255.0 192.168.1.1
To verify the route you added:
macOS:/Users/analysisman% netstat -rn | grep 192.168.2.
192.168.2 192.168.1.1 UGSc en10
To delete this permanent route:
Use sudo networksetup -setadditionalroutes with only the network service name, without the address, netmask, and gateway.
macOS:/Users/analysisman% sudo networksetup -setadditionalroutes "USB 10/100/1000 LAN"
To see all commands:
networksetup -help
Or
networksetup -printcommands
Thanks!
Hi AnalysisMan
Would you be able to help me with where/which file stores the route information that is displayed when we execute netstat -ln
Regards
Vinay Chandran
In Macbook that is
I refer to this page every so often, I appreciate you keeping this up. Very helpful!
Thanks for this post. It was very useful. Just my additional 2 cents -
We can also get the configured permanent static routes using: networksetup -getadditionalroutes "USB 10/100/1000 LAN" .
Also, if we want to add multiple routes permanently then we can add additional tuples on the same command. Eg., sudo networksetup -setadditionalroutes "Wi-Fi" 192.168.230.0 255.255.255.0 192.168.20.82 192.168.68.0 255.255.255.0 192.168.20.82
Life saver hack! Thanks a lot!
I'm doing something wrong. I work from home and connect to my company's VPN. I need an SMB connection to our file server, which has the IP 192.168.2.108. VPN My network at home has the IP 192.168.68.1. Tunnel Interface is utun3.
When I run the command
sudo networksetup -setadditionalroutes "VPN Work" 192.168.2.108 255.255.255.0 192.168.68.1
my browser traffic goes through the VPN instead of my home network.
What am I doing wrong?
I run a BitTorrent server for open source Linux distros. Over time I have manually blocked literally thousands of leechers and downloaders who I do not want to have access to my system, as well as blocking 10s of 1,000s of botnets by firewalls. I have migrated my firewall settings to static routes blocked and the performance is much better.
I'm just having trouble consistently adding ip6 addresses to be blocked.
Beforehand, I enter the thousands of addresses I have collected to be blocked into JSON array lookup tables, to be accessed by a python script that reads them and inserts them into an iterating command line by nested for-loops.
I always debug by entering the command first on a command line before automating the process.
Example:
I have been trying to set a permanent static route on my Mac using:
networksetup -setadditionalroutes "Ethernet" 2408:8266:: ffff:ffff:fffc:0000:0000:0000:0000:0000 ::1
which returns:
Route destination 2408:8266:: is not a valid IP address. ** Error: The parameters were not valid.
That is not true as it is the top address of the CHINA UNICOM China169 Backbone server, from which I get scores of leechers and people who try to get past my firewall.
as well as trying:
ifconfig en0 inet6 2408:8266:: prefixlen 32 alias
which blocks everything in 2408:8266::/32 except 2408:8266:: itself.
My question is a) can networksetup -setadditionalroutes accept ip6 addresses and how?
b) if not, can ifconfig block the root address of 2408:8266::/32?
I would prefer a network setup solution because they are much easier to clear than ifconfig ones. Removing ifconfig entries can take hours, one at a time, whereas networksetup just clears the service by name (Ethernet, WiFi, VPN) in moments.
On a parallel theme, is there a way to wipe all the static route entries from my Mac, especially those put in by ifconfig, in one fell swoop so I can re-enter them cleanly?
Help is much appreciated.